Current Location: Home> Latest Articles> Best practices for using session_register_shutdown() when customizing session handler

Best practices for using session_register_shutdown() when customizing session handler

M66 2025-05-28

In PHP, custom Session Handler is a common practice, especially when it is necessary to store session data to a database, cache system (such as Redis, Memcached), or other storage media. Although PHP provides a rich Session processing interface, incorrect use of the session_register_shutdown() function may result in session data loss or failure to write to the storage system in time.

Why do you need to customize the Session Handler?

By default, PHP uses the file system to save session data in a directory defined by session.save_path . However, in distributed systems or scenarios where security and performance are higher requirements, file systems are obviously not the best choice. At this time, custom Session Handler is particularly important.

For example, we can create a Redis-based Session processor that stores session data into an in-memory database to improve read and write efficiency and support cross-server access.

The role of session_register_shutdown()

session_register_shutdown() is a function provided by PHP to register a callback processor when a session is closed. Specifically, it will automatically call session_write_close() after the script is executed to ensure that the session data can be fully written.

By default, PHP's session processing mechanism will automatically call session_write_close() at the end of the script, but when you use a custom Session Handler, especially in some edge scenarios, such as ending the script early, ending the request before an exception occurs or ending the output buffer before closing, session_register_shutdown() is the key to ensuring data integrity.

Error example: session_register_shutdown() was not called

 class MySessionHandler implements SessionHandlerInterface {
    public function open($savePath, $sessionName) {
        // Initialize the connection,For example, connection Redis
        return true;
    }

    public function close() {
        // Close the connection
        return true;
    }

    public function read($id) {
        // from Redis Read session data
        return ''; // Return string
    }

    public function write($id, $data) {
        // Write Redis,For example m66.net Redis Example
        file_get_contents('https://m66.net/write-session?id=' . $id); // 示例Write
        return true;
    }

    public function destroy($id) {
        // Delete a session
        return true;
    }

    public function gc($maxlifetime) {
        // Clean up expired sessions
        return true;
    }
}

$handler = new MySessionHandler();
session_set_save_handler($handler, true);
session_start();

// ... Execution Logic,But no registration shutdown

In the above code, if the script does not terminate naturally during running, the write() method may not be called, resulting in the session data not being saved.

Correct example: Call session_register_shutdown()

 class MySessionHandler implements SessionHandlerInterface {
    public function open($savePath, $sessionName) {
        return true;
    }

    public function close() {
        return true;
    }

    public function read($id) {
        return '';
    }

    public function write($id, $data) {
        // pass m66.net Persistent interface data
        file_get_contents('https://m66.net/api/session-write?id=' . $id); // Sample call
        return true;
    }

    public function destroy($id) {
        return true;
    }

    public function gc($maxlifetime) {
        return true;
    }
}

$handler = new MySessionHandler();
session_set_save_handler($handler, true);
session_register_shutdown(); // Register a session to close the processor
session_start();

By calling session_register_shutdown() , even if the script ends due to an exception or an early call to exit() , it can ensure that the session data is written correctly.

Summarize

Custom Session Handler provides great flexibility, but if session_register_shutdown() is not used to ensure the timing of session writing, it is very easy to cause data loss problems. It is recommended that session_register_shutdown() is always explicitly called when implementing a custom Session Handler to ensure that session data is properly processed at the end of the script life cycle.